From 98f0d01b2ea43c71437de4d535a5a30cdc28217f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 11 Oct 2019 18:50:33 +0200
Subject: [PATCH] rule: mimikatz use extended
---
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index db3ad7586..5ba0670cb 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,6 +1,8 @@
 title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
+date: 2017/01/10
+modified: 2019/10/11
 tags:
 - attack.s0002
 - attack.t1003
@@ -20,6 +22,8 @@ detection:
 - "* sekurlsa::logonpasswords *"
 - "* lsadump::sam *"
 - "* mimidrv.sys *"
+ - "* p::d *"
+ - "* s::l *"
 condition: keywords
 falsepositives:
 - Naughty administrators
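Review bot: The two keywords added in the second hunk, `* p::d *` and `* s::l *`, are very short tokens matched with a leading and trailing wildcard across "different Eventlogs", so they are considerably more false-positive-prone than the full `sekurlsa::logonpasswords` style entries already in the list, yet neither the `falsepositives:` section (still only `Naughty administrators`) nor the description is updated to say so. They appear to be abbreviated module::command forms of the existing keywords; I would document that intent and the noise trade-off with a comment above the new entries, `# short abbreviated forms of the module::command keywords above; expect more noise than the full spellings`, and add a `falsepositives:` entry such as `- Unrelated log text that happens to contain the short tokens`. The `date:` and `modified:` values in the first hunk use the `YYYY/MM/DD` form, which YAML parsers keep as plain strings because of the slashes, so no quoting is needed there. Any `level:` or `references:` field of the rule lies outside both hunks, so I cannot tell whether the severity should be revisited for the broader match.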